Transparency, eVoting, and Copyright

eVoting highlights the trade-offs we make with copyright laws and transparency. To see how, let's think about how regular voting works: you sign your name on the register to prevent more than one person from voting at a time, you get a paper ballot and mark it (either by hand or with a punch), you turn in the ballot, and later its counted. (Sure, I'm simplifying it.) Every geek in the world says "Wow! I can build a system that's snazzier than that!" And that's the $64 question, can we build a computer based system that's got the same functionality and offers the same cross checks for integrity? David Dill (a Computer Science professor at Stanford and an old colleague from my formal verification days) doesn't think its all that easy. A story in the Christian Science Monitor quotes David:

"If you look at the consequences for democracy, it's terrifying. If we had a way to make [computerized voting] safe, believe me, we would. There's no way to run a reliable election without a verifiable paper trail - that's what these machines don't have."

Of course, balloting has always been a messy business and there's been ways to game the system. But I think that misses the point. If we're going to set out to make a better system, let's make a better system. That's when we run into copyright and transparency issues. Voting systems are made by vendors who respond to bids put out by election officials (your county clerk or state Secretary of State in most cases). The design of these systems is not typically open to the public. The result is a black box and someone who stands to make a lot of money from selling the device while saying "trust me."

Anyone who's done even a little computer security work knows that that's not how it works. The most secure systems are open because its only by social review, a kind of social proof, that you expose errors and hard to find bugs. That thinking runs counter to most people's intuition---most people believe that secrecy leads to security. So, following this reasoning, the most secure and trustworthy voting systems would be those that are open to public scrutiny. You can imagine the howls of protest that eVoting vendors are raising on that issue.

In fact, one manufacturer, Diebold, is using the DMCA (digital millennium copyright act) to stifle public review of its source code and internal documents that outline security problems. A group of students recently posted these documents and the source code on the Internet for all to see. Diebold responded with a cease and desist order. From a New York Times story (free registration required):

Diebold, however, says it is a case of copyright infringement, and has sent cease-and-desist orders to the students and, in many cases, their colleges, demanding that the 15,000 e-mail messages and memorandums be removed from each Web site. "We reserve the right to protect that which we feel is proprietary," a spokesman for Diebold, David Bear, said. The files circulating online include thousands of e-mail messages and memorandums dating to March 2003 from January 1999 that include discussions of bugs in Diebold's software and warnings that its computer network are poorly protected against hackers. Diebold has sold more than 33,000 machines, many of which have been used in elections.

Some universities bowed to the pressure and removed the files, but the students just moved them to the Freenet file sharing service. This is a perfect example of why file sharing and DMCA are about more than making sure Orrin Hatch gets his royalties. Copyrighted code is fundamentally different than copyrighted music. Music and books are perfectly transparent. Code is not transparent in the same way and nothing in the DMCA requires that it be made so. Secrecy might be OK for some things, but not for the code we run our country on.

A team of security experts from John Hopkins and Rice University reviewed the software and found security holes that would allow people to vote twice or even undo the votes of others. (Full Report). This might lead some to think we just need an independent review, but even that's not enough. New attacks and vulnerabilities are discovered regularly for well-known and thought-to-be-secure systems when they're subject to public scrutiny. A single review, no matter how smart the reviewers, isn't enough.

I do not believe that we should be willing to buy or use voting systems where the source code and design is not open for public review. I think there are companies that would be willing to work in this model, particularly if the contract provided some long term commitments. This is not Britney Spears we're talking about here---the integrity of our voting system is a fundamental component of our government. There's simply no reason that our voting system shouldn't be open to public scrutiny.

Making this happen is more difficult. There is not one election authority in the US, there are thousands and very few standards. The Help America Vote Act of 2002 contains some language that gets at standards, but nothing as blatant as making eVoting systems open source. This problem won't get solved just because its been pointed out. Like all public policy issues, making changes requires commitment and long sales cycles. You've got to be willing to educate local county commissioners and legislators over the course of years. Get started now. If this issue interests you, write to your legislators (you can write your congressional delegation too, but that won't do as much good in this case). Try not to sounds like a pompous ass, but someone who's genuinely concerned and willing to help. Show up at committee meetings. Group together with like-minded souls. Find a sympathetic ear in the State Election Office. Talk to your State's CIO. Talk to the Secretary of State (yes, they'll probably make an appointment with you). The point is: get involved.